TWI311018B - Multivariable public key systems - Google Patents

Multivariable public key systems

Publication number: TWI311018B
Authority: TW (Taiwan)
Prior art keywords: transformation, secret, value, public, polynomial
Application number: TW95100803A
Other languages: Chinese (zh)
Other versions: TW200631375A (en)
Inventor: Ding Jintai
Original Assignee: Ding Jintai
Application filed by Ding Jintai
Publication of TW200631375A
Application granted
Publication of TWI311018B

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Description

IX. Description of the invention

[Technical field of the invention]

This document claims priority to the US provisional patent application filed on January 11, 2005 (title: Multivariate Public Key Cryptosystems, serial number: 60/642,838), which is incorporated by reference in its entirety for all purposes.

The present invention relates to asymmetric cryptographic communication processes, in particular multivariate public key cryptosystems (MPKC), used to provide secure communication and secure authentication or signatures.

[Prior art]

Public key cryptosystems fundamentally changed modern communication systems. This revolutionary idea was first proposed by Diffie and Hellman, but the first practical cryptosystem realizing it was the famous RSA system proposed by Rivest, Shamir and Adleman (US patent: 4,405,829, 1983).

Multivariate public key cryptosystems are a class of public key cryptosystems whose building blocks are multivariate polynomials, in most cases quadratic polynomials. The approach relies on the following proven theorem: solving a system of multivariate polynomial equations over a finite field is in general an NP-hard problem. This theorem offers the possibility that multivariate public key cryptosystems can resist attacks by future quantum computers, whereas RSA cannot resist quantum computer attacks [SP]. Because the computations are carried out over a small finite field, multivariate public key cryptosystems are in general much more efficient than RSA.

Early attempts to construct multivariate public key cryptosystems, such as those of Diffie and Fell [DF] and of Shamir [Sh], all failed.

A new design of multivariate cryptosystems began in 1988 with Matsumoto and Imai [MI]. The design was considered very promising until it was defeated by Patarin in 1995 [P]. Afterwards, many new systems were built, inspired by this work.

1) Minus-Plus generalization [CGP1]. This is the simplest of all the ideas: remove some of the quadratic polynomial components of the cipher (the Minus method, first suggested in […]), and/or add some randomly chosen quadratic polynomials (the Plus method). The main reason for the "Minus" operation is to improve security […]. The Minus(-only) method is well suited to signature schemes, because a document does not need to have a unique signature, unlike in decryption. Sflash [ACDG, CGP] is a Matsumoto-Imai-Minus cryptosystem. After more than three years of evaluation, the NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project of the European Commission's Information Society Technologies programme selected it as a security standard suitable for low-cost smart cards.

2) The hidden field equation method (HFE) [P1]. Patarin considers this method the strongest. However, new algebraic attacks using the MinRank method and the relinearization method proposed by Kipnis and Shamir [KS] show that a specific parameter of the method cannot be too small, yet if it is too large the system becomes very slow. HFE is patented in Europe and the United States (US patent: 5,790,675, 1998). See […].

A new system recently proposed by Wang, Yang, Hu and Lai is also related to this family of cryptosystems [WYHL].

3) The Oil-Vinegar method. The (balanced) Oil-Vinegar scheme and the unbalanced Oil-Vinegar scheme [P3][KPG] are new concrete constructions of signature schemes. Kipnis and Shamir defeated the balanced scheme [Shl]. The unbalanced scheme is generally not very efficient, because the signature is more than twice as long as the document (or the hash of the document).

4) HFEV. The basic idea is to add some new external variables on top of the HFE method to make the system more complicated. This combines HFE with the Oil-Vinegar scheme. Ding (丁津泰) and Schmidt [DS3] recently observed that the attack in [KS] can also be used to eliminate, in practice, a small number of the newly added variables and thereby attack the system. The signature scheme Quartz, an HFE-"Minus" scheme, has a very short signature of 128 bits [CGP2], but it is rather slow.

Another family of multivariate public key cryptosystems is the triangular construction proposed by T. T. Moh [M1], which uses special triangular invertible maps (tame transformations). The method is named the tame transformation method (TTM) (see US patent 5,740,250, 1998). Courtois and Goubin attacked the system using the MinRank method [CM]. The inventors of TTM, however, rejected the claims of [CM] and gave new implementations to support their view. Later, Ding and Schmidt [DS1][DS2] found that in fact all existing implementations share a common flaw that makes them insecure. Recently Moh also proposed a new scheme [MCY].

There have been many attempts to construct signature schemes using similar but simpler ideas (called TTS, tamed transformation signature). Some of these were proposed mainly by Chen and his collaborators [YC][CYP]. [YCC] proposed a new construction of TTS, but it was defeated by Ding and Yin [DY]. [YC1] proposed another new version. [WHLCY] proposed a similar construction (US patent application 20040151307, 2004).

The original idea of internal perturbation was first proposed by Ding (US patent application: 20030215093, 2003). In [D] the idea was applied to the Matsumoto-Imai system mentioned above. This application, however, was defeated by Pierre-Alain Fouque, Louis Granboulan and Jacques Stern [GGS]. As a further improvement, we propose in this application the "internal perturbation plus" method. As an example, we apply it to the Matsumoto-Imai system and show that it effectively resists all attacks [DG]. Another improvement is enhanced internal perturbation, applied to HFE [DS3].

Our general multi-layer construction was first applied to the Oil-Vinegar scheme to build the Rainbow system [DS4]. [YC1] and [WHLCY] are both special cases of this general construction (though they use different construction approaches).

[Summary of the invention]

The present invention comprises several methods for improving any MPKC to produce new, more secure and more efficient MPKCs. These methods are called "internal perturbation plus" (IPP), "enhanced internal perturbation" (EIP), and "multi-layer Oil-Vinegar construction" (MOVC). The methods can be applied in combination to produce new MPKCs. What makes them useful is that, applied individually or in combination, they allow us to: 1. produce new, more secure MPKCs, even turning a completely insecure MPKC into a secure one; 2. make the new MPKCs more efficient, so that they can work even on small electronic devices such as smart cards, RFID cards and so on.

These new methods can be regarded as effective "repair" and "strengthening" tools for MPKCs. For example, for the cryptosystem invented by Matsumoto and Imai in 1988 [MI], which cannot be used in practice because it was broken by Jacques Patarin in 1995 [P], we can apply IPP to build a new, secure and very efficient MPKC, called the perturbed Matsumoto-Imai-Plus cryptosystem (PMI+) [DG].

In summary, the present invention includes the following findings: 1. The inventor presents three new methods that anyone can apply to existing MPKCs to produce more secure and efficient MPKCs [DG][DS3][DS4]. 2. The inventor shows that these methods can be combined in various ways to build new […] for producing more secure and efficient MPKCs […].

Although the invention is described by means of specific embodiments, it is clear that those trained in cryptography can readily produce many variations, substitutions and modifications of these embodiments. The embodiments provided in this document are therefore illustrative; the invention is not limited to them, and any variation that does not depart from the spirit and scope of the invention falls within its claims.

[Embodiments]

1. The internal perturbation plus method (IPP)

1.1 The basic idea of IPP

Internal perturbation plus is the name given to the first class of methods invented in this application. We now explain the basic idea of IPP; the following subsection shows a specific example of applying IPP, namely to the Matsumoto-Imai cryptosystem, to produce the so-called internally perturbed Matsumoto-Imai-Plus cryptosystem (PMI+).

The word "perturbation" is used here in a sense very close to its physical meaning: deliberately changing a system, or adding small-scale "noise" to it, to see how the system changes and thereby derive new information about the system itself. The key point is that the perturbation must be done in a controlled way, so that the system itself is not fundamentally changed. Our method indeed "adds" random "small" "noise" to the cryptosystem, so that the system becomes much harder to break. The perturbation idea is contained in a US patent application filed by the inventor […]. The new method is a further improvement of the earlier perturbation method, enabling the system to resist the new differential attacks [FGS][DG].

Suppose we have a multivariate public key cryptosystem. Its public key consists of a finite field (or ring) k with q elements and a set of m polynomials of low degree d in n variables over k, $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n))$. Anyone may know the public key. The public transformation, used to encrypt a message or to verify the legitimacy of a signature or of authentication information, is: for a given value $X = (x_1,\dots,x_n)$ represented as an n-dimensional vector over k, compute $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n)) = (y_1,\dots,y_m) = Y$. For signatures and message authentication, one must additionally verify whether this Y is indeed the given signature or authentication code (an m-dimensional vector $Y'$ over the finite field or ring k); if so, the signature or authentication information is accepted as legitimate, otherwise it is rejected.

The secret transformation or computation is the process of finding, for any given m-dimensional vector $Y = (y_1,\dots,y_m)$ over the finite field or ring k, an n-dimensional vector $X = (x_1,\dots,x_n)$ such that $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n)) = Y$. This requires knowledge of the secret key, which allows $(f_1,\dots,f_m)$ to be decomposed as a composition of three transformations, $L_1 \circ \bar F \circ L_2$. Here $\circ$ denotes composition of transformations; $L_1$ and $L_2$ are invertible affine linear transformations on the vector spaces of m and n elements over k, respectively; and $\bar F(x_1,\dots,x_n) = (\bar f_1(x_1,\dots,x_n),\dots,\bar f_m(x_1,\dots,x_n))$ is another polynomial transformation whose inverse $\bar F^{-1}$ can be computed efficiently by a fast algorithm. Equivalently, there is a fast algorithm that, for any $Y' = (y'_1,\dots,y'_m)$, efficiently computes a value $X' = (x'_1,\dots,x'_n)$ satisfying $\bar F(x'_1,\dots,x'_n) = (y'_1,\dots,y'_m)$. Only the legitimate user has access to a given secret key. The secret transformation or computation is used either to decrypt a message or to produce a publicly verifiable legitimate signature or authentication code.

For each choice of the parameters r and α, the IPP method produces a new multivariate public key cryptosystem. Here r and α are two positive integers.

For fixed r and α, an instance of the new multivariate public key cryptosystem is as follows.

The new multivariate public key cryptosystem has a new public key: the same field (or ring) structure k as the original MPKC, and a new set of public polynomials of the same low degree d, $(f^+_1(x_1,\dots,x_n),\dots,f^+_{m+\alpha}(x_1,\dots,x_n))$. The public transformation or computation becomes the process of evaluating the public polynomials, $(f^+_1(x_1,\dots,x_n),\dots,f^+_{m+\alpha}(x_1,\dots,x_n)) = (y_1,\dots,y_{m+\alpha})$.

The new secret computation now requires a new secret key, namely the decomposition $(f^+_1(x_1,\dots,x_n),\dots,f^+_{m+\alpha}(x_1,\dots,x_n)) = \bar L_1 \circ \bar F^{+} \circ L_2(x_1,\dots,x_n)$, where $\bar L_1$ and $L_2$ are randomly or specifically chosen invertible affine linear transformations on the vector spaces of $m+\alpha$ and $n$ elements over k, respectively; the $z_i$, $i = 1,\dots,r$, are chosen randomly or specifically, and the linear parts of $z_1,\dots,z_r$ are linearly independent as linear functions; the $g_i(z_1,\dots,z_r)$ are randomly or specifically chosen polynomials of degree at most d in the variables $z_1,\dots,z_r$; and the $p_i(x_1,\dots,x_n)$ are likewise randomly or specifically chosen polynomials of degree at most d in the variables $x_1,\dots,x_n$.

The new secret transformation or computation, used for decryption and for producing a legitimate signature or authentication code, becomes the following process: for any given $Y^+ = (y_1,\dots,y_{m+\alpha})$, find the (or a) value $X = (x_1,\dots,x_n)$ satisfying $(f^+_1(x_1,\dots,x_n),\dots,f^+_{m+\alpha}(x_1,\dots,x_n)) = Y^+$. The legitimate user carries this out through the following steps.

First the legitimate user computes $\bar L_1^{-1}(Y^+)$ to obtain the intermediate value $Y'^+ = (y'_1,\dots,y'_{m+\alpha})$. Then the user goes through all possible values of $z_i$, $i = 1,\dots,r$, one by one ($q^r$ possibilities in total) and, using the algorithm of the original cryptosystem, computes $\bar F^{-1}(y'_1 - g_1(z_1,\dots,z_r),\dots,y'_m - g_m(z_1,\dots,z_r)) = (x''_1,\dots,x''_n)$. For each $(x''_1,\dots,x''_n)$, the legitimate user computes the $z_i(x''_1,\dots,x''_n)$ and $p_i(x''_1,\dots,x''_n)$ and checks whether $(z_1(x''_1,\dots,x''_n),\dots,z_r(x''_1,\dots,x''_n),p_1(x''_1,\dots,x''_n),\dots,p_\alpha(x''_1,\dots,x''_n)) = (z_1,\dots,z_r,y'_{m+1},\dots,y'_{m+\alpha})$; if so, that $(x''_1,\dots,x''_n)$ is kept, otherwise it is discarded.

For each $(x''_1,\dots,x''_n)$ kept in the previous step, the legitimate user computes $L_2^{-1}(x''_1,\dots,x''_n) = (x_1,\dots,x_n)$. The value obtained in this way may be the decrypted message, a valid signature, or a valid authentication code.

Here the polynomials $g_i(z_1,\dots,z_r)$, $i = 1,\dots,n$, can be regarded as the noise added to the system. The polynomials $p_i(x_1,\dots,x_n)$, $i = 1,\dots,\alpha$, can be regarded as the "Plus" polynomials of the known method proposed by Patarin et al. [CGP1].

1.2 An example, the perturbed Matsumoto-Imai-Plus cryptosystem: application of the IPP method to the Matsumoto-Imai cryptosystem

This is based on the inventor's work [DG].

1.2.1 We first present the Matsumoto-Imai MPKC [MI]. Here k is a finite field with q elements and of characteristic 2. We choose an irreducible polynomial $g(x)$ of degree n in the polynomial ring $k[x]$, which gives a degree-n extension field K of k, $K = k[x]/g(x)$. Every element of K can be represented uniquely as a polynomial of degree less than n. There is a bijection $\phi$ between K and the vector space $k^n$ of n elements over k, defined by $\phi(a_0 + a_1 x + \dots + a_{n-1}x^{n-1}) = (a_0, a_1, \dots, a_{n-1})$.

Find a positive integer $\theta$ between 0 and n such that $\gcd(q^{\theta}+1, q^n-1) = 1$, and define a new transformation $\tilde F$ on K: $\tilde F(X) = X^{q^{\theta}+1}$. $\tilde F$ is an invertible transformation, and $\tilde F^{-1}(X) = X^{t}$, where $t(q^{\theta}+1) \equiv 1 \bmod (q^n-1)$. Let $\bar F$ be the map from $k^n$ to $k^n$ defined by $\bar F(x_1,\dots,x_n) = (\bar f_1(x_1,\dots,x_n),\dots,\bar f_n(x_1,\dots,x_n)) = \phi \circ \tilde F \circ \phi^{-1}(x_1,\dots,x_n)$, where the $\bar f_i(x_1,\dots,x_n)$, $i = 1,\dots,n$, are quadratic (d = 2) polynomials in the variables $x_1,\dots,x_n$. Let $L_1$, $L_2$ be two randomly chosen invertible affine linear transformations on $k^n$, and define $(f_1(x_1,\dots,x_n),\dots,f_n(x_1,\dots,x_n)) = L_1 \circ \bar F \circ L_2(x_1,\dots,x_n)$, where each polynomial is quadratic (d = 2).

Encryption in the Matsumoto-Imai cryptosystem works as follows. If Bob wants to set up his own Matsumoto-Imai MPKC, he needs a "public key" that anyone can easily obtain, consisting of 1) the field k with its addition and multiplication structure; 2) the n quadratic polynomials $f_1(x_1,\dots,x_n),\dots,f_n(x_1,\dots,x_n)$. If anyone, say Alice, wishes to send Bob a secret message given as a vector $X = (x_1,\dots,x_n)$, she first obtains the public key and then computes the value $(f_1(x_1,\dots,x_n),\dots,f_n(x_1,\dots,x_n)) = (y_1,\dots,y_n)$, which is the encrypted message.

The "private key" that Bob must keep secret consists of the two affine linear transformations $L_1$, $L_2$. The parameter $\theta$ can be made either part of the public key or part of the private key, because guessing it is not hard (there are only n choices, and n is not too large).

After receiving the message from Alice, Bob uses the private key and performs the following steps to decrypt: 1) compute $(\bar y_1,\dots,\bar y_n) = \bar F^{-1} \circ L_1^{-1}(y_1,\dots,y_n)$; 2) compute $L_2^{-1}(\bar y_1,\dots,\bar y_n) = (x_1,\dots,x_n)$, which yields the secret message.

[…]

1.2.2 We now use the IPP method to obtain a new secure MPKC [DG]. An instance of this new multivariate public key cryptosystem is given below, where r and α are fixed integers.

Fix a positive integer r and choose, randomly or specifically, r affine linear functions $z_1,\dots,z_r$ of $x_1,\dots,x_n$ whose linear parts are linearly independent as linear functions.

Define the map $Z: k^n \to k^r$ by $Z(x_1,\dots,x_n) = (z_1,\dots,z_r)$. Choose, randomly or specifically, n polynomials $g_i(z_1,\dots,z_r)$, $i = 1,\dots,n$, of degree at most d in the variables $z_1,\dots,z_r$; likewise choose, randomly or specifically, α polynomials $p_i(x_1,\dots,x_n)$, $i = 1,\dots,\alpha$, of degree at most d in the variables $x_1,\dots,x_n$.

We call this new multivariate public key cryptosystem the perturbed Matsumoto-Imai-Plus (PMI+). It has a new public key, consisting of: the same field (or ring) structure k as the original Matsumoto-Imai MPKC; and a new set of public polynomials of the same low degree (quadratic) over k, $(f^+_1(x_1,\dots,x_n),\dots,f^+_{n+\alpha}(x_1,\dots,x_n))$. The public computation used for encryption or verification becomes the evaluation of this set of polynomials.

The new secret computation now requires a new secret key, namely $(f^+_1(x_1,\dots,x_n),\dots,f^+_{n+\alpha}(x_1,\dots,x_n)) = \bar L_1 \circ \bar F^{+} \circ L_2(x_1,\dots,x_n)$, where $\bar L_1$ and $L_2$ are invertible affine linear transformations on the vector spaces of $n+\alpha$ and $n$ elements over k, respectively, and $\bar F^{+}(x_1,\dots,x_n) = (\bar f_1(x_1,\dots,x_n) + g_1(z_1,\dots,z_r),\dots,\bar f_n(x_1,\dots,x_n) + g_n(z_1,\dots,z_r),p_1(x_1,\dots,x_n),\dots,p_\alpha(x_1,\dots,x_n))$.

Encryption in PMI+ works as follows. The publicly available "public key" consists of 1) the field k together with its addition and multiplication structure; 2) the $n+\alpha$ quadratic polynomials $f^+_1,\dots,f^+_{n+\alpha}$. To encrypt a message given as a vector $X = (x_1,\dots,x_n)$, one computes the value $(f^+_1(x_1,\dots,x_n),\dots,f^+_{n+\alpha}(x_1,\dots,x_n)) = (y_1,\dots,y_{n+\alpha})$, which is the encrypted message.

The "secret key", available only to the legitimate user, consists of: 1) $\bar L_1$ and $L_2$; 2) _
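A toy run of the PMI+ construction of this section over GF(2), added here as an illustration and not code from the patent or its author: the perturbed central map is taken to be (F(x) + g(z(x)), p_1(x), …, p_α(x)), the public key is expanded into quadratic coefficients, and decryption is the legitimate user's search over all q^r values of z with the z and Plus checks. The sizes (n = 7, θ = 3, r = 2, α = 3), the modulus x^7 + x + 1, the table form of g, the table-based inverses and every function name are assumptions of this example, chosen small enough to run instantly and far below any secure size.

```python
import random
from itertools import combinations

N, THETA, R, ALPHA = 7, 3, 2, 3      # toy sizes chosen for this example; q = 2
MOD = 0b10000011                     # g(x) = x^7 + x + 1, irreducible over GF(2)
H = 2**THETA + 1                     # Matsumoto-Imai exponent q^theta + 1
T = next(t for t in range(1, 2**N) if H * t % (2**N - 1) == 1)  # F^-1(X) = X^T

def parity(v):
    return bin(v).count("1") & 1

def gf_mul(a, b):
    """Product in K = GF(2)[x]/g(x); bit i of an int is the coefficient of x^i."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return out

def gf_pow(a, e):
    out = 1
    for bit in bin(e)[2:]:           # left-to-right square and multiply
        out = gf_mul(out, out)
        if bit == "1":
            out = gf_mul(out, a)
    return out

def affine(A, x):
    """x -> Mx + c over GF(2), with A = (row bitmasks of M, c)."""
    rows, c = A
    return sum(parity(row & x) << i for i, row in enumerate(rows)) ^ c

def random_affine(d, rng):
    """Random invertible affine map on GF(2)^d; inverse kept as a table (toy sizes only)."""
    while True:
        A = ([rng.getrandbits(d) for _ in range(d)], rng.getrandbits(d))
        inverse = {affine(A, x): x for x in range(2**d)}
        if len(inverse) == 2**d:     # all images distinct, so the matrix is invertible
            return A, inverse

def keygen(seed):
    rng = random.Random(seed)
    L1, L1inv = random_affine(N + ALPHA, rng)
    L2, L2inv = random_affine(N, rng)
    (zrows, zc), _ = random_affine(N, rng)
    Z = (zrows[:R], zc % 2**R)       # r affine z_i with independent linear parts
    # g_1..g_n as one table indexed by z; for r = 2 every table has degree <= 2 in z
    G = [rng.getrandbits(N) for _ in range(2**R)]
    # alpha "Plus" quadratics p_i in x, each stored as (coefficient rows Q, constant)
    plus = [([rng.getrandbits(N) for _ in range(N)], rng.getrandbits(1))
            for _ in range(ALPHA)]
    return dict(L1=L1, L1inv=L1inv, L2=L2, L2inv=L2inv, Z=Z, G=G, plus=plus)

def plus_bits(sk, x):
    """(p_1(x), ..., p_alpha(x)) as an int; p(x) = sum Q[j][k] x_j x_k + c."""
    ones = [j for j in range(N) if x >> j & 1]
    return sum((c ^ (sum(parity(Q[j] & x) for j in ones) & 1)) << i
               for i, (Q, c) in enumerate(sk["plus"]))

def secret_map(sk, x):
    """L1bar o F+ o L2 with F+(x) = (F(x) + g(z(x)), p_1(x), ..., p_alpha(x))."""
    x = affine(sk["L2"], x)
    top = gf_pow(x, H) ^ sk["G"][affine(sk["Z"], x)]
    return affine(sk["L1"], top | plus_bits(sk, x) << N)

def public_key(sk):
    """Coefficients of the n+alpha public quadratics, read off at 0, e_i, e_i+e_j."""
    c0 = secret_map(sk, 0)
    lin = [secret_map(sk, 1 << i) ^ c0 for i in range(N)]
    cross = {(i, j): secret_map(sk, 1 << i | 1 << j) ^ lin[i] ^ lin[j] ^ c0
             for i, j in combinations(range(N), 2)}
    return c0, lin, cross

def encrypt(pk, x):
    """Evaluate the public polynomials; bit t of the result is polynomial t at x."""
    c0, lin, cross = pk
    ones = [i for i in range(N) if x >> i & 1]
    y = c0
    for term in [lin[i] for i in ones] + [cross[p] for p in combinations(ones, 2)]:
        y ^= term
    return y

def decrypt(sk, y):
    """Try all q^r values of z, invert F, keep the candidates passing both checks."""
    yp = sk["L1inv"][y]
    v, w = yp % 2**N, yp >> N
    found = []
    for z in range(2**R):
        X = gf_pow(v ^ sk["G"][z], T)
        if affine(sk["Z"], X) == z and plus_bits(sk, X) == w:
            found.append(sk["L2inv"][X])
    return found

if __name__ == "__main__":
    sk = keygen(2005)
    ct = encrypt(public_key(sk), 0b1011001)
    print(bin(ct), [bin(m) for m in decrypt(sk, ct)])
```

`decrypt` returns a list because more than one guess of z can pass the checks; the α Plus components are what make surviving wrong candidates rare.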

To decrypt, the new secret computation becomes the following process: for any given $Y^+ = (y_1,\dots,y_{n+\alpha})$, find the value $(x_1,\dots,x_n)$ satisfying $(f^+_1(x_1,\dots,x_n),\dots,f^+_{n+\alpha}(x_1,\dots,x_n)) = (y_1,\dots,y_{n+\alpha})$. The legitimate user carries this out by performing the following steps:

1) First the legitimate user computes $\bar L_1^{-1}(Y^+)$ to obtain the intermediate value $Y'^+ = (y'_1,\dots,y'_{n+\alpha})$.

2) Go through all possible values of $z_i$, $i = 1,\dots,r$, one by one ($q^r$ possibilities in total) and, using the algorithm of the original Matsumoto-Imai system, compute $\bar F^{-1}(y'_1 - g_1(z_1,\dots,z_r),\dots,y'_n - g_n(z_1,\dots,z_r)) = (x''_1,\dots,x''_n)$.

3) For each $(x''_1,\dots,x''_n)$, the legitimate user computes the $z_i(x''_1,\dots,x''_n)$ and $p_i(x''_1,\dots,x''_n)$ and checks whether $(z_1(x''_1,\dots,x''_n),\dots,z_r(x''_1,\dots,x''_n),p_1(x''_1,\dots,x''_n),\dots,p_\alpha(x''_1,\dots,x''_n)) = (z_1,\dots,z_r,y'_{n+1},\dots,y'_{n+\alpha})$; if so, that $(x''_1,\dots,x''_n)$ is kept, otherwise it is discarded; and

4) For each $(x''_1,\dots,x''_n)$ kept in the previous step, the legitimate user computes $L_2^{-1}(x''_1,\dots,x''_n)$; the resulting value $(x_1,\dots,x_n)$ is the decrypted message.

The integers r and α must be chosen carefully here, making sure they are large enough to withstand the recently proposed differential attacks.

We also require that neither r nor α be too large. When α is too large, the system becomes insecure, especially against Gröbner-basis-type attacks such as the XL and […] algorithms. When r is too large, the efficiency of the system becomes too low.

2. The enhanced internal perturbation method (EIP)

2.1 The basic idea of EIP

We now give the second method, called enhanced internal perturbation (EIP). We first present the basic idea of EIP and then an example of its application, namely applying EIP to the HFE cryptosystem to obtain the so-called internally perturbed HFE cryptosystem (IPHFE) [DS3].

This likewise uses the idea of perturbation. It differs from the first method as follows: the first method can be regarded as direct perturbation, which merely adds new polynomials to the original system as "noise"; enhanced perturbation goes one step further: it not only adds polynomials but also mixes the "noise" polynomials into the original system.

Suppose we have a multivariate public key cryptosystem as a cryptographic communication process. The public key of this cryptosystem consists of the structure of a finite field (or ring) k with q elements and m polynomials of degree d in n variables over k that anyone can obtain, $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n))$. The public transformation can be used for encryption and also, in signatures and authentication, to verify authenticity. The public transformation is: for a value $X = (x_1,\dots,x_n)$ represented as an n-dimensional vector over the finite field or ring k, compute $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n)) = (y_1,\dots,y_m) = Y$. For signatures and message authentication, one must additionally verify whether this Y is indeed the given signature or authentication code (an m-dimensional vector $Y'$ over the finite field or ring k); if so, the signature or authentication information is accepted as legitimate, otherwise it is rejected.

The secret transformation or computation is the following process: for an m-dimensional vector $Y = (y_1,\dots,y_m)$ over the finite field or ring k, find an n-dimensional vector $X = (x_1,\dots,x_n)$ satisfying $(f_1(x_1,\dots,x_n),\dots,f_m(x_1,\dots,x_n)) = Y$. This requires knowledge of the secret key that decomposes $(f_1,\dots,f_m)$ as $L_1 \circ \bar F \circ L_2$, where $\circ$ denotes composition of transformations and $L_1$, $L_2$ are invertible affine linear transformations on the vector spaces of m and n elements over k, respectively.

F is another polynomial transformation for which a fast algorithm computes the inverse F^(-1) efficiently; equivalently, there is a fast algorithm that efficiently computes a value (x_1, ..., x_n) that F maps to a given value. Only legitimate users can obtain the secret key. The secret transformation or computation is used either to decrypt a message or to produce a publicly verifiable, legitimate signature or authentication code.

This is a new method for producing new multivariable public key cryptosystems. As an instance of this new asymmetric cryptographic communication process, it has a new set of public polynomials. This new set of polynomials has a new cryptographic key: it is obtained by adding randomly or specifically chosen polynomials in z_1, ..., z_r of degree at most d and, at the same time, mixing in products of low-degree polynomials in z_1, ..., z_r with the low-degree terms of f_i(x_1, ..., x_n). In the case of quadratic polynomials (d = 2), the new public polynomials are obtained as follows: z_i = Σ_j α_ij x_j + β_i, i = 1, ..., r, are chosen randomly or specifically and are linearly independent as functions of the x_j; the polynomials in the variables z_1, ..., z_r indexed by i = 1, ..., n are chosen randomly or specifically and have degree at most d; … are chosen randomly or specifically …; and … consists only of the … part and the constant part.

This new MPKC has a cryptographic communication process with a new public transformation, which transforms a value X, represented as an n-dimensional vector over the finite field or ring k, through a new set of multivariable polynomials into another value Y, an m-dimensional vector over k.

This new MPKC also has a cryptographic communication process with a new secret transformation, which uses the secret knowledge to reverse the public transformation and so obtains the (or a) value X from the value Y. A legitimate user who knows the secret key does this in the following steps:

1) compute L_2^(-1)(Y) to obtain an intermediate value;
2) select all possible values of z_i, i = 1, ..., r, one by one (q^r possibilities in total) and, for each choice, invert the resulting transformation; we also require that this inverse be as easy to compute as the inverse of F; and
3) finally compute L_1^(-1), which gives a value (x_1, ..., x_n).

2.2 An example of EIP applied to the HFE cryptosystem: the internally perturbed HFE cryptosystem (IPHFE)

The HFE cryptosystem is a patented MPKC proposed by Patarin. The patent was filed in France in 1995 and in the United States in 1996 (US Patent No. 5,790,675).

The HFE [P1] cryptosystem depends on a special parameter D. Recent work by Kipnis, Shamir, Courtois and Faugere [C][KS][FJ] shows that D cannot be too small, but as D grows the system becomes very slow. As an example of EIP applied to HFE, IPHFE gives a new and more efficient cryptosystem [DS3].

2.2.1 The HFE cryptosystem

The hidden field equation cryptosystem was also proposed by Patarin [P1], who considers this construction to be the strongest. The system is very similar to the Matsumoto-Imai cryptosystem.

Here we assume that k is a finite field with q elements whose characteristic is not necessarily 2. We choose an irreducible polynomial g(x) of degree n in k[x], the ring of polynomials over k. This gives a degree-n extension field K = k[x]/(g(x)) of k. Every element of K can be represented uniquely as a polynomial of degree less than n. There is a bijection Φ between K and the vector space of n-tuples over k. We define the following function on K:

F(X) = Σ_{q^i + q^j ≤ D} a_ij X^(q^i + q^j) + Σ_{q^i ≤ D} b_i X^(q^i) + c,

where the coefficients of the polynomial are chosen at random and the highest degree D cannot be too large.

In general F is no longer a bijection, but we can still invert it: for a constant Y', we can use the Berlekamp algorithm to solve the polynomial equation F(X) = Y'. Because of the complexity of that algorithm, the degree D cannot be too large; otherwise the computation becomes infeasible.

Let F̃ be the map from k^n to k^n defined by F̃(x_1, ..., x_n) = (f̃_1(x_1, ..., x_n), ..., f̃_n(x_1, ..., x_n)), where the f̃_i, i = 1, ..., n, are quadratic (d = 2) polynomials in the variables x_1, ..., x_n. Let L_1 and L_2 be two randomly chosen invertible affine linear transformations on k^n, and define F̄ = L_2 ∘ F̃ ∘ L_1 = (f̄_1, ..., f̄_n).

The encryption process of the HFE cryptosystem is as follows. The public key includes:

1) the addition and multiplication structure of the field k; 2) the n quadratic polynomials f̄_1, ..., f̄_n. To encrypt a message given as a vector (x_1, ..., x_n), one first obtains the public key and then computes (f̄_1(x_1, ..., x_n), ..., f̄_n(x_1, ..., x_n)) = (y_1, ..., y_n), which is the encrypted message.

The cryptographic secret, that is, the private key, consists of the two affine linear maps L_1 and L_2, the function F and the big field K.

Decryption consists of the following steps. After receiving the encrypted message, the legitimate user decrypts it by: I) applying L_2^(-1) to (y_1, ..., y_n); II) using the Berlekamp algorithm to invert F on the result, passing through Φ; and III) applying L_1^(-1), which gives (x_1, ..., x_n), the secret message. Note that step II) may produce more than one solution. This can be handled with the "plus" method, that is, by mixing some randomly chosen polynomials into the system so that the true solution can be identified, or with other techniques such as a hash function.

2.2.2 The new IPHFE cryptosystem

We now apply EIP to HFE to generate a new family of public key cryptosystems, which depends on a small positive integer parameter r [DS3].

As an instance of this new asymmetric cryptographic communication process, once r is fixed there is a new set of public polynomials. This new set of polynomials has a new cryptographic key: it is obtained by adding randomly or specifically chosen polynomials in z_1, ..., z_r of degree at most d and mixing in products of low-degree polynomials in z_1, ..., z_r with the low-degree terms of the original polynomials. Here z_i(x_1, ..., x_n) = Σ_j α_ij x_j + β_i, i = 1, ..., r, are chosen randomly or specifically and are linearly independent as functions of the x_j; the polynomials in the variables z_1, ..., z_r indexed by i = 1, ..., n are chosen randomly or specifically and have degree at most d; … are chosen randomly or specifically, are polynomials in the variables z and have degree at most d_j; … consists of the quadratic part and the constant part of …; … is chosen at random; and Z(x_1, ..., x_n) = (z_1, ..., z_r, 0, ..., 0). This new MPKC is a new cryptographic communication process for encryption and decryption.

The public key includes: 1) the structure of the field k; 2) the set of n public polynomials. To encrypt, one obtains this new set of public polynomials and evaluates them at (x_1, ..., x_n) to get (y_1, ..., y_n).

The new secret key includes z_i, i = 1, ..., r, F, L_1, L_2 and the structure of the field K.

The legitimate user decrypts Y = (y_1, ..., y_n) in the following steps: 1) compute L_2^(-1)(Y) to obtain an intermediate value; 2) select all possible values of z_i, i = 1, ..., r, one by one (q^r possibilities in total) and, for each fixed choice z_1, ..., z_r, again use the Berlekamp algorithm to compute the inverse, which is easy when D is not too large; and 3) finally compute L_1^(-1), which gives a value (x_1, ..., x_n). Note that step 2) may produce more than one solution. For HFE this is easily resolved by applying the "plus" method or other techniques such as a hash function.

2.3 We can combine the IPP and EIP methods and apply them to HFE, which gives the internally perturbed HFE-plus cryptosystem.

3. The multi-layer oil-vinegar construction method (MOVC)

3.1 The basic idea of MOVC

The third method is called the multi-layer oil-vinegar construction. We explain it together with one of its applications, the so-called Rainbow signature system. We first give the basic idea and then the example, which can also be found in the inventor's work [DS4].

The multi-layer oil-vinegar construction (MOVC) can be used to "glue" together, through oil-vinegar constructions, multivariable public key cryptosystem constructions of different or identical types, and so build a new multivariable public key cryptosystem as an asymmetric cryptographic communication process.

Again we start from a multivariable public key cryptosystem as a cryptographic communication process. Its public key consists of the structure of a finite field (or ring) k and a set of m polynomials in n variables of low degree d over k, (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)). Anyone may know the public key. The public transformation or computation, used to encrypt a message or to verify the authenticity of a signature or of a document's authentication code, is: for a given value X = (x_1, ..., x_n), represented as an n-dimensional vector over k, compute (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = (y_1, ..., y_m) = Y. For signatures and message authentication, one additionally checks whether this Y really is the given signature or authentication code (an m-dimensional vector over the finite field or ring k); if it is, the signature or authentication information is accepted as legitimate, and otherwise it is rejected.

The secret transformation or computation is the process of finding, for any given m-dimensional vector over the finite field or ring k, an n-dimensional vector X = (x_1, ..., x_n) that the public polynomials map to it. This requires knowledge of the secret key, namely that (f_1, ..., f_m) can be decomposed as the composition of three transformations:

(f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = L_2 ∘ F ∘ L_1(x_1, ..., x_n). Here ∘ denotes composition of transformations; L_1 and L_2 are invertible affine linear transformations on the vector spaces of n-tuples and m-tuples over k respectively; and F is another polynomial transformation whose inverse F^(-1) can be computed efficiently by a fast algorithm. Equivalently, there is a fast algorithm that, for any Y' = (y'_1, ..., y'_m), efficiently computes a value satisfying F(x_1, ..., x_n) = (y'_1, ..., y'_m). Only legitimate users can obtain the secret key. The secret transformation or computation is used either to decrypt a message or to produce a publicly verifiable, legitimate signature or authentication code.

We say that an MPKC as described above is of oil-vinegar construction if, apart from the transformation F, it follows the process set out above and F is defined as follows. The variables x_1, ..., x_n are divided into two groups: the first group, x_1, ..., x_o, are called oil variables and the second group, x_{o+1}, ..., x_n, are called vinegar variables. They satisfy the following condition: if we are given, or can guess, the values of the vinegar variables, we can find the inverse transformation of F; equivalently, there is a fast algorithm that solves the equation F(x_1, ..., x_n) = (y'_1, ..., y'_m), finding one solution or all solutions.

Constructing a new MPKC with the MOVC method. The new cryptosystem and the new asymmetric cryptographic communication process are described as follows. The set of public polynomials is replaced by a new set, which has a new cryptographic key. The key includes two randomly chosen invertible affine linear transformations, acting on the vector spaces of N-tuples and M-tuples over k respectively, and a transformation built by joining together l component transformations, each of which comes from an oil-vinegar construction. The i-th of these is called the i-th oil-vinegar layer; it transforms one vector over k into another, treating some of its variables as oil variables and the others as vinegar variables. The component transformations need not be (but may be) of the same size; M = w_1 + w_2 + ... + w_l.

This new cryptographic communication process has two parts: 1) a public transformation, which transforms a value X̄, represented as an N-dimensional vector over k, through a set of M new multivariable polynomials over the finite field or ring k into an M-dimensional vector Ȳ over k; 2) a secret transformation, which reverses the transformation defined by the cryptographic key and so obtains the (or a) value X̄ from Ȳ.

The secret transformation is carried out in the following steps. First the inverse of the second affine transformation is applied to Ȳ to obtain an intermediate value. Inverting the l-th layer on that intermediate value gives the values of its variables. For the (l-1)-th oil-vinegar construction, these values are substituted for the vinegar variables in its equations, which are then solved for the oil variables. The same process is applied to the (l-2)-th oil-vinegar layer, using the oil variables obtained in the previous step, to obtain its oil variables. This is repeated layer by layer until the last layer, which gives the values of all the variables. Finally the inverse of the first affine transformation is applied, which gives the value X̄.

The public transformation can be used both to encrypt a message and to verify whether a document's signature or authentication code is genuine. The secret transformation can be used both to decrypt a message and to generate a document's signature or authentication code.

3.2 Application of MOVC to the oil-vinegar signature scheme

We demonstrate the MOVC method with an example: a new family of signature schemes, Rainbow [DS4], which we construct by applying MOVC to the oil-vinegar signature scheme.

3.2.1 The oil-vinegar construction

The oil-vinegar construction was proposed by Patarin et al. [P2][KPG]. They used it to build the balanced and unbalanced oil-vinegar signature schemes. The balanced oil-vinegar signature scheme was first proposed by Patarin [P2], but it was broken by Kipnis and Shamir [KS1]. The unbalanced family was proposed by Patarin, Kipnis and Goubin as an improvement on the balanced case [KPG].

Again we assume a finite field k; for the rest of this section (section 3.2) all our work takes place over this finite field k.

Let o and v be two positive integers. The variables x_1, ..., x_o are called oil variables and the variables x'_1, ..., x'_v are called vinegar variables. For these oil and vinegar variables, a polynomial of the following form is called an oil-vinegar polynomial:

f(x_1, ..., x_o, x'_1, ..., x'_v) = Σ a_ij x_i x'_j + Σ b_ij x'_i x'_j + Σ c_i x_i + Σ d_j x'_j + e.

Let F be a transformation from k^(o+v) to k^o of the form F(x_1, ..., x_o, x'_1, ..., x'_v) = (f_1, ..., f_o), where f_i, i = 1, ..., o, are randomly or specifically chosen oil-vinegar polynomials, x_1, ..., x_o are the oil variables and x'_1, ..., x'_v are the vinegar variables.

For every value Y = (y_1, ..., y_o) in k^o it is easy to find a preimage of Y under F; equivalently, we can find a solution of the equation F(x_1, ..., x_o, x'_1, ..., x'_v) = Y, or, put differently, we can easily compute the inverse of F. This is done as follows: first guess values for all the vinegar variables, which turns the equation into a system of o linear equations in the oil variables. If this system has a solution, it is easy to find. If it has none, we repeat the procedure; a solution is guaranteed to be found after a small number of attempts [P2][KPG1].

For the oil-vinegar signature scheme, the public polynomials are given by F̄ = F ∘ L_1(x_1, ..., x_{o+v}), where L_1 is a randomly or specifically chosen invertible affine linear transformation. Note that if F is chosen in a special way we may need to compose with an invertible affine factor L_2 in front; if F is chosen at random this is not needed.

The oil-vinegar signature scheme is set up as follows. Suppose Bob wants to set up his own oil-vinegar signature scheme. He first chooses o, v, F and L_1 as described above and obtains F̄. The public key of Bob's MPKC includes: 1) the structure of the field k; 2) the set of polynomials F̄. Bob publishes his public key, for example on his publicly accessible web page.

Let Y = (y_1, ..., y_o). It can be the document itself or a hash value of the document, and can be regarded as a kind of digest of the document. The hash process must be secure and publicly available. To produce a legitimate signature on the document Y, Bob uses his private key, F and L_1, to find a value X'' such that F̄(X'') = Y. The secret computation is as follows. Bob first applies F^(-1) to Y to obtain an intermediate value. He then applies L_1^(-1) to that value. We denote the result by X''; this is the signature Bob wants. Bob then appends the signature X'' to the document Y, or to the hash value of Y, and states which hash function he used.

Alice, who sees and receives the document/signature pair, verifies the authenticity of the document with the following public computation. She first obtains F̄ and the hash function (if needed). She then computes F̄(X'') and checks whether it really equals Y, where this Y is the one she holds or the one she obtains by applying the same hash function as Bob. If it does, the document was indeed signed by Bob; otherwise it is considered a forgery and rejected.

The balanced case is the one where o = v; it has been broken by Kipnis and Shamir [KS1]. The unbalanced case refers to …, and its efficiency is therefore very low.

3.2.2 Rainbow and the multi-layer oil-vinegar signature scheme

Let S be the set {1, 2, ..., n}. Let v_1, ..., v_u be u integers satisfying 0 < v_1 < v_2 < ... < v_u = n, and define the integer sets S_l = {1, 2, ..., v_l}, l = 1, ..., u, so that S_1 ⊂ S_2 ⊂ ... ⊂ S_u = S. The number of elements of S_i is v_i. Let o_i = v_{i+1} - v_i, i = 1, ..., u-1, and let O_i be the set O_i = S_{i+1} - S_i, i = 1, ..., u-1. Let P_l be the linear space of quadratic polynomials spanned by polynomials of the following form:

Σ_{i∈O_l, j∈S_l} α_ij x_i x_j + Σ_{i,j∈S_l} β_ij x_i x_j + Σ_{i∈S_{l+1}} γ_i x_i + η.

These are all polynomials of oil-and-vinegar type, in which x_i, i ∈ O_l, are the oil variables and x_j, j ∈ S_l, are the vinegar variables. We call x_i, i ∈ O_l, the l-th layer oil variables and x_j, j ∈ S_l, the l-th layer vinegar variables, and we use P_l to denote the set of all l-th layer oil and vinegar polynomials. Clearly P_i ⊂ P_j for i < j. In this way each P_l, l = 1, ..., u-1, is a set of oil and vinegar polynomials. Each polynomial in P_i has x_j, j ∈ O_i, as its oil variables and x_j, j ∈ S_i, as its vinegar variables. This follows from the fact that S_{i+1} = S_i ∪ O_i and S_i ∩ O_i = ∅.

Next we define the transformation F of the Rainbow signature scheme. It is a transformation F from k^n to k^(n-v_1) whose components are grouped into u-1 blocks, the i-th block consisting of o_i quadratic polynomials chosen at random from P_i. F thus has u-1 layers of oil-vinegar construction, one layered over the other. The first layer consists of o_1 polynomials in which x_j, j ∈ O_1, are the oil variables and x_j, j ∈ S_1, are the vinegar variables. The i-th layer consists of o_i polynomials in which x_j, j ∈ O_i, are the oil variables and x_j, j ∈ S_i, are the vinegar variables. This gives us a rainbow of our variables:

[x_1, ..., x_{v_1}]; {x_{v_1+1}, ..., x_{v_2}}
[x_1, ..., x_{v_1}, x_{v_1+1}, ..., x_{v_2}]; {x_{v_2+1}, ..., x_{v_3}}
[x_1, ..., x_{v_1}, x_{v_1+1}, ..., x_{v_2}, x_{v_2+1}, ..., x_{v_3}]; {x_{v_3+1}, ..., x_{v_4}}
...
[x_1, ..., x_{v_{u-1}}]; {x_{v_{u-1}+1}, ..., x_n}

Each row above represents one layer of the rainbow. For the l-th layer, the variables in [ ] are the vinegar variables and those in { } are the oil variables, and the vinegar variables of each layer include the vinegar variables of all the layers before it. We call F a rainbow polynomial map with u-1 layers. Let L_1 and L_2 be two randomly chosen invertible affine linear maps, with L_2 acting on k^(n-v_1) and L_1 acting on k^n. Let F̄(x_1, ..., x_n) = L_2 ∘ F ∘ L_1(x_1, ..., x_n), which consists of n - v_1 quadratic polynomials in n variables.

Suppose Bob wants to set up his own Rainbow signature scheme. He first chooses F, L_1 and L_2 as described above and obtains F̄. The public key of Bob's MPKC includes: 1) the structure of the field k; 2) the set of polynomials F̄. Bob publishes his public key, for example on his publicly accessible web page.

Let Y = (y_1, ..., y_{n-v_1}). It can be the document itself or a hash value of the document, and can be regarded as a kind of digest of the document. The hash process must be secure and publicly available. To produce a legitimate signature on the document Y, Bob uses his private key, which consists of F, L_1 and L_2, to find a value X'' = (x''_1, ..., x''_n) such that F̄(X'') = Y. The secret computation is as follows.

Bob first applies L_2^(-1) to Y and obtains a value of n - v_1 components.

Next Bob needs to invert F, that is, to solve the equation in which F(x_1, ..., x_n) equals the value just obtained. To solve it, Bob first chooses values for x_1, ..., x_{v_1} at random and substitutes them into the o_1 equations of the first layer. This gives a system of o_1 linear equations in the o_1 variables x_{v_1+1}, ..., x_{v_2}, and solving it gives him the values of x_{v_1+1}, ..., x_{v_2}. This simply repeats the procedure for inverting F described in the section on the oil-vinegar signature scheme. Bob now has all x_i, i ∈ S_2. Substituting these values into the polynomials of the second layer again gives a system of o_2 linear equations, from which he obtains all x_i, i ∈ S_3. He repeats this process until a solution is found.

Whenever one of the linear systems has no solution, Bob starts again from the beginning with a new choice of values for x_1, ..., x_{v_1}, and continues until a solution is found. If the number of layers is not too large, Bob succeeds with high probability.

Bob then applies L_1^(-1) to the solution he has found. The result, X'', is the signature Bob wants. Bob then appends the signature X'' to the document Y, or to its hash value, and states which hash function he used.

Alice, who sees and receives the document/signature pair, verifies the authenticity of the document with the following public computation. She first obtains F̄ and the hash function (if needed). She then computes F̄(X'') and checks whether it really equals Y, where this Y is the one she holds or the one she obtains by applying the same hash function as Bob. If they are equal, the document was indeed signed by Bob; otherwise it is considered a forgery and rejected. In the Rainbow scheme the length of the document is n - v_1 and the length of the signature is n, and we can make v_1 much smaller than n. The Rainbow scheme is therefore more efficient than the unbalanced oil-vinegar signature scheme proposed in [KPG].

4) Combinations of the methods. We can combine any two of the methods to construct a new MPKC. For example, we can combine IPP and MOVC to construct an MPKC with only two layers, in which the first layer uses PMI+ and its variables serve as the vinegar variables of the oil-vinegar construction in the next layer. Similarly, we can combine EIP with MOVC.

We can also combine all three methods.

5) One way to construct variants of our methods is to choose special types of polynomials, such as sparse polynomials in which the great majority of terms are zero. The MPKCs in [YC1] and [WHLCY] are examples of Rainbow of this kind (although they use a different way of constructing them).
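The layer-by-layer inversion that Bob performs when signing in section 3.2.2 (guess the first-layer vinegar values, solve a linear system for each layer's oil variables, restart when a system is singular), as an added example that is not code from the patent. The field GF(31), the layer sizes v = (2, 4, 6), the dictionary layout of the coefficients and all function names are assumptions, and the affine maps L_1 and L_2 are left out so that only the central map F is shown.

```python
import random

P = 31          # toy prime field GF(31) (assumed parameter)
V = [2, 4, 6]   # v_1 < v_2 < v_3 = n (assumed): layer 1 oil x3,x4; layer 2 oil x5,x6
LAYERS = list(zip(V, V[1:]))   # (number of vinegars, v_{l+1}) for each layer

def keygen(rng):
    """Random central map F: layer l holds o_l = v_{l+1} - v_l polynomials."""
    return [[{
        "ov": [[rng.randrange(P) for _ in range(vin)] for _ in range(top - vin)],
        "vv": [[rng.randrange(P) for _ in range(vin)] for _ in range(vin)],
        "lin": [rng.randrange(P) for _ in range(top)],
        "const": rng.randrange(P),
    } for _ in range(top - vin)] for vin, top in LAYERS]

def vinegar_part(f, x, vin):
    """Terms of f without any oil variable, evaluated at the known x[:vin]."""
    s = f["const"] + sum(f["lin"][i] * x[i] for i in range(vin))
    s += sum(f["vv"][i][j] * x[i] * x[j] for i in range(vin) for j in range(vin))
    return s % P

def oil_coeffs(f, x, vin, top):
    """Coefficient of each oil variable once the vinegars are fixed.
    No oil*oil term exists, so f is linear in the oil variables."""
    return [(f["lin"][vin + i] + sum(f["ov"][i][j] * x[j] for j in range(vin))) % P
            for i in range(top - vin)]

def evaluate(key, x):
    """Forward evaluation of F on a full vector x of length n."""
    out = []
    for (vin, top), polys in zip(LAYERS, key):
        for f in polys:
            oil = sum(c * x[vin + i]
                      for i, c in enumerate(oil_coeffs(f, x, vin, top)))
            out.append((vinegar_part(f, x, vin) + oil) % P)
    return out

def solve_mod(A, b):
    """Gauss-Jordan elimination mod P; None if the square system is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % P), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [(v * inv) % P for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                factor = M[r][c]
                M[r] = [(a - factor * p) % P for a, p in zip(M[r], M[c])]
    return [M[r][n] for r in range(n)]

def invert(key, y, rng, max_tries=200):
    """Find x with evaluate(key, x) == y, or None after max_tries restarts."""
    for _ in range(max_tries):
        x = [rng.randrange(P) for _ in range(V[0])]   # guess first-layer vinegars
        pos = 0
        for (vin, top), polys in zip(LAYERS, key):
            A = [oil_coeffs(f, x, vin, top) for f in polys]
            b = [(y[pos + k] - vinegar_part(f, x, vin)) % P
                 for k, f in enumerate(polys)]
            oil = solve_mod(A, b)
            if oil is None:        # singular system: restart with new vinegars
                break
            x += oil               # this layer's oils become vinegars of the next
            pos += top - vin
        else:
            return x
    return None
```
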

Claims (1)

X. Scope of the patent application:

1. A cryptographic method, applied to a multivariable public key cryptosystem (MPKC) to generate a new multivariable public key cryptosystem or asymmetric cryptographic communication process, wherein the multivariable public key cryptosystem is a cryptographic communication process comprising:

a) a public transformation, which transforms a value X = (x_1, ..., x_n), represented as an n-dimensional vector over a finite field or ring k, through a set of m multivariable polynomials of low degree (d) over k, (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)), into a value Y = (y_1, ..., y_m), represented as an m-dimensional vector over k, this transformation being publicly available and computed as (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = (y_1, ..., y_m), wherein the public transformation can be used by anyone to encrypt a message or to verify the authenticity of the digital signature or digital authentication code of a document;

b) a secret transformation, that is, the process of using knowledge of the secret key to reverse the transformation defined by (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) and so obtain the value X from the value Y, wherein a legitimate user who knows the cryptographic key uses the secret transformation to encrypt a message or to generate the digital signature or the authentication code of a document; and

c) generating, on the basis of a previously existing MPKC, a new family of multivariable public key cryptosystems or new asymmetric cryptographic communication processes, comprising the following steps:

i) adding internal perturbation directly to the existing MPKC by adding a small number (r) of randomly or specifically chosen internal variables z_i = Σ_j α_ij x_j + β_i, i = 1, ..., r, wherein the linear parts of the z_i (without the constant term β_i) are linearly independent as functions of the x_j;

ii) adding more (α) randomly or specially chosen polynomials to the perturbed MPKC and mixing everything together by composing with randomly or specifically chosen invertible affine linear transformations, so that the new MPKC has a new transformation, which transforms a value X, represented as an n-dimensional vector over k, through a new set of m + α multivariable polynomials over the finite field or ring k into another value Ȳ, represented as an (m + α)-dimensional vector over k;

iii) a secret transformation, which uses knowledge of the cryptographic secret of the original scheme and of the secrets of the perturbation step and the "addition" step to reverse the new set of m + α polynomials and so obtain the value X from the value Ȳ.

2. The method of claim 1, wherein the final public polynomials are of degree 2 or higher.

3. The method of claim 1, wherein any randomly or specifically chosen polynomial or linear function may either have all of its coefficients chosen at random, or have most coefficients chosen to be zero while certain particular coefficients are random.

4. A cryptographic method, applied to a multivariable public key cryptosystem (MPKC) to generate a new multivariable public key cryptosystem or asymmetric cryptographic communication process, wherein the multivariable public key cryptosystem is a cryptographic communication process comprising:

a) a public transformation, which transforms a value X = (x_1, ..., x_n), represented as an n-dimensional vector over a finite field or ring k, through a set of m multivariable polynomials of low degree (d) over k, (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)), into a value Y = (y_1, ..., y_m), represented as an m-dimensional vector over k, this transformation being publicly available and computed as (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = (y_1, ..., y_m), wherein the public transformation can be used by anyone to encrypt a message or to verify the authenticity of the digital signature or digital authentication code of a document;

b) a secret transformation, that is, the process of using knowledge of the secret key to reverse the transformation defined by (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) and so obtain the value X from the value Y, wherein a legitimate user who knows the cryptographic key uses the secret transformation to encrypt a message or to generate the digital signature or the authentication code of a document; and

c) generating, on the basis of a previously existing MPKC, a new family of multivariable public key cryptosystems or new asymmetric cryptographic communication processes, comprising the following steps:

i) adding internal perturbation to the existing MPKC by adding internal variables z_i, i = 1, ..., r, and adding some specifically chosen polynomial terms, wherein the linear parts of the z_i (without the constant term) are linearly independent as functions of the x_j, and the specifically chosen polynomial terms are products of the internal variables with polynomial terms of the original MPKC;

ii) mixing everything together by composing with random or specially chosen invertible affine linear transformations, so that the new MPKC has a new transformation, which transforms a value X, represented as an n-dimensional vector over k, through a new set of m multivariable polynomials over the finite field or ring k into another value Ȳ, represented as an m-dimensional vector over k; and

iii) a secret transformation, which uses knowledge of the secrets of the original scheme and of the perturbation step and the mixing step to reverse the new set of polynomials and so obtain the value X from the value Ȳ.

5. The method of claim 4, wherein the final public polynomials are of degree 2 or higher.

6. The method of claim 4, wherein any randomly or specifically chosen polynomial or linear function may either have all of its coefficients chosen at random, or have most coefficients chosen to be zero while certain particular coefficients are random.

7. A method applied to an oil-vinegar multivariable public key cryptosystem (MPKC), which generates a new multivariable public key cryptosystem or asymmetric cryptographic communication process by joining multiple layers of oil-vinegar constructions together, wherein the oil-vinegar multivariable public key cryptosystem is a cryptographic communication process comprising:

a) a public transformation, which transforms a value X = (x_1, ..., x_n), represented as an n-dimensional vector over a finite field or ring k, through a set of m multivariable polynomials of low degree (d) over k, (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)), into a value Y = (y_1, ..., y_m), represented as an m-dimensional vector over k, this transformation being publicly available and computed as (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = (y_1, ..., y_m), wherein the public transformation can be used by anyone to encrypt a message or to verify the authenticity of the digital signature or digital authentication code of a document;

b) a secret transformation, that is, the process of using knowledge of the secret key to reverse the transformation defined by (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) and so obtain the value X from the value Y, wherein a legitimate user who knows the cryptographic secret uses the secret transformation to encrypt a message or to generate the digital signature or the authentication code of a document; (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) can be decomposed as the composition of three transformations, (f_1(x_1, ..., x_n), ..., f_m(x_1, ..., x_n)) = L_2 ∘ F ∘ L_1(x_1, ..., x_n), where ∘ denotes composition of transformations and L_1 and L_2 are invertible affine linear transformations on k^n and k^m respectively, and F is given in the following way: the set of variables x_1, ..., x_n is divided into two groups, the first group x_1, ..., x_o being called oil variables and the second group x_{o+1}, ..., x_n being called vinegar variables, and the inverse transformation of F can be computed in that, by guessing the values of the vinegar variables, a fast algorithm solves F(x_1, ..., x_n) = (y'_1, ..., y'_m) (or finds one or … of that equation); …

i) dividing the variables into oil and vinegar variables of different layers, so that the oil-vinegar construction can be used in each layer and the variables of the preceding layers (all their oil and vinegar variables) become the vinegar variables of that layer; and

ii) mixing everything together by composing with random or specifically chosen invertible affine transformations, so that this new MPKC has …, a transformation that requires the secrets of the dividing and mixing steps.

8. The method of claim 7, wherein the final public polynomials are of degree 2 or higher.

9. The method of claim 7, wherein any chosen polynomial or linear function may either have all of its coefficients chosen, or have most coefficients chosen to be zero while certain particular coefficients are random.
, Qiu, Shen, 乂) to calculate, suitable for the public transformation can be made by anyone to Xiao, to encrypt - the message of Wei Wei - the authenticity of the signature of a document or the number of health certificates; / Secret 9 (4) 'That is the secret secret lie knowledge to reverse the transformation defined by (/i(i,,J"._, /w(x], . . . , &)) to get the value X from the value γ. The legitimate user of the password secret uses the secret transformation to encrypt the digital signature of the U generated file or the authentication code of the file; (/i(P '\)"..//((i), can be decomposed into Three transformations Compound: ^^'''"^,···, ◎, ^^,..., which recognizes that the transformed composite Ά is a reversible ray-like transformation of 々" and d, respectively, such that 1 (1, 1, 33⁄4 ),···, person (X!,·,,')) is given in the following way, the set of variables 分为 is divided into two groups, W is the first group, called the oil variable; is the second group called the hearing variable And we can use Qiu Qing's inverter to guess the value of the vinegar variable, there is a fast algorithm "Χ") = (~··_'Λ) (or find one or the secret of the equation; ===== 1311018 i) Divide the variables into oil and vinegar variables of different layers so that the oil-vine structure can be used in each layer and the variables in the previous layer of the layer (all oil and vinegar variables) become the vinegar variables of this layer. And ii) mixing this all by the compound random or specific selection of reversible affine transformations. This new MPKC has this transformation that requires the secrets of the division and mixing steps. ' 8. If the method described in item 7 of the patent application is sub- or higher. 'The last public polynomial is 2, as described in the scope of claim 7, the polynomial or linear function of any <RTIgt; can be all coefficient selection = to select most of the coefficients to be zero and some special coefficients are random Choice 42
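Claim 7 relies on the oil-vinegar inversion step: once the vinegar variables are guessed, every central polynomial is linear in the oil variables. The toy below is an added example, not code from the patent; the field GF(31), the sizes and all function names are assumptions, and it models one layer's central map only, without the affine mixing transformations or the layering.

```python
import random
P, O, V = 31, 3, 4   # toy GF(31); x[:O] are oil, x[O:] vinegar (constructed sizes)

def central_map(rng):
    """O quadratic polynomials with oil*vinegar and vinegar*vinegar terms only."""
    rnd = lambda r, c: [[rng.randrange(P) for _ in range(c)] for _ in range(r)]
    return [{"ov": rnd(O, V), "vv": rnd(V, V), "lin": rnd(1, O + V)[0],
             "c": rng.randrange(P)} for _ in range(O)]

def vinegar_part(f, vin):
    """Value of every term of f that involves no oil variable."""
    s = f["c"] + sum(f["lin"][O + j] * vin[j] for j in range(V))
    return (s + sum(f["vv"][i][j] * vin[i] * vin[j] for i in range(V) for j in range(V))) % P

def oil_row(f, vin):
    """Coefficient of each oil variable once the vinegar values are fixed."""
    return [(f["lin"][i] + sum(f["ov"][i][j] * vin[j] for j in range(V))) % P for i in range(O)]

def evaluate(polys, x):
    oil, vin = x[:O], x[O:]
    return [(vinegar_part(f, vin) + sum(a * o for a, o in zip(oil_row(f, vin), oil))) % P
            for f in polys]

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over GF(P); None if the matrix is singular."""
    n, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], P - 2, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                k = M[r][col]
                M[r] = [(a - k * c) % P for a, c in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def invert(polys, y, rng, tries=100):
    """Guess vinegar values; what remains is a linear system in the oil variables."""
    for _ in range(tries):
        vin = [rng.randrange(P) for _ in range(V)]
        A = [oil_row(f, vin) for f in polys]
        b = [(yi - vinegar_part(f, vin)) % P for f, yi in zip(polys, y)]
        oil = solve_mod_p(A, b)
        if oil is not None:   # singular oil system: guess again
            return oil + vin
    raise RuntimeError("no vinegar guess gave an invertible oil system")
```

The preimage returned by `invert` generally differs from the original input, which is why the construction suits signatures, where any preimage of the digest is acceptable.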
TW95100803A 2005-01-11 2006-01-09 Multivariable public key systems TWI311018B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US64283805P 2005-01-11 2005-01-11

Publications (2)

Publication Number Publication Date
TW200631375A TW200631375A (en) 2006-09-01
TWI311018B TWI311018B (en) 2009-06-11

Family

ID=37444058

Family Applications (1)

Application Number Title Priority Date Filing Date
TW95100803A TWI311018B (en) 2005-01-11 2006-01-09 Multivariable public key systems

Country Status (2)

Country Link
CN (1) CN1870499B (en)
TW (1) TWI311018B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321059B (en) * 2007-06-07 2011-02-16 管海明 Method and system for encoding and decoding digital message
US8625793B2 (en) 2007-06-11 2014-01-07 Qualcomm Incorporated Resynchronization for push message security using secret keys
CN102006165B (en) * 2010-11-11 2012-11-07 西安理工大学 Ring signature method for anonymizing information based on multivariate public key cryptography
JP5790289B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, information processing method, program, and recording medium
JP5790290B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, information processing method, program, and computer-readable recording medium recording the program
JP5790286B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, signature generation apparatus, information processing method, signature generation method, and program
JP5790291B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus, signature providing method, signature verification method, program, and recording medium
JP5790288B2 (en) * 2011-08-12 2015-10-07 ソニー株式会社 Information processing apparatus and information processing method
JP5790319B2 (en) * 2011-08-29 2015-10-07 ソニー株式会社 Signature verification apparatus, signature verification method, program, and recording medium
JP5790318B2 (en) * 2011-08-29 2015-10-07 ソニー株式会社 Information processing apparatus, signature generation apparatus, information processing method, signature generation method, and program
TWI502947B (en) * 2012-04-12 2015-10-01 Jintai Ding New cryptographic system and method based on mismatching
CN103457726B (en) * 2013-08-26 2016-12-28 华南理工大学 Multi-variable public key ciphering method based on matrix
CN103780382B (en) 2014-01-13 2017-01-18 华南理工大学 Multivariable public-key encryption/decryption system and method based on hypersphere
CN105245343B (en) * 2015-09-22 2018-09-14 华南理工大学 A kind of online static signature system and method based on multivariable cryptographic technique
SG11202009207SA (en) * 2018-03-20 2020-10-29 Univ South China Normal Gpu-based parallel acceleration method for multivariate cryptographic algorithm
CN108510429B (en) * 2018-03-20 2021-11-02 华南师范大学 Multivariable cryptographic algorithm parallelization acceleration method based on GPU
CN109981296A (en) * 2019-04-03 2019-07-05 王晓兰 A kind of ring signatures method based on Rainbow

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2737370B1 (en) * 1995-07-27 1997-08-22 Bull Cp8 CRYPTOGRAPHIC COMMUNICATION METHOD
ES2230814T3 (en) * 1999-04-29 2005-05-01 Cp8 Technologies METHODS AND SYSTEMS OF PUBLIC KEY SIGNATURE.

Also Published As

Publication number Publication date
TW200631375A (en) 2006-09-01
CN1870499B (en) 2012-01-04
CN1870499A (en) 2006-11-29

Similar Documents

Publication Publication Date Title
TWI311018B (en) Multivariable public key systems
Wang et al. Cryptographic primitives in blockchains
JP4405810B2 (en) Encryption and signature scheme based on hierarchical identity
Herranz et al. Constant size ciphertexts in threshold attribute-based encryption
Li et al. Certificateless hybrid signcryption
CN107124268A (en) A kind of privacy set common factor computational methods for resisting malicious attack
WO2009143713A1 (en) Two-factor combined public key generation and authentication method
CN102594570A (en) Key threshold algorithm based on level identity encryption
Selvi et al. ID based signcryption scheme in standard model
KR20030062401A (en) Apparatus and method for generating and verifying id-based blind signature by using bilinear parings
Hwang et al. Universal forgery of the identity-based sequential aggregate signature scheme
McCullagh et al. Efficient and forward-secure identity-based signcryption
WO2015081505A1 (en) Method for establishing public key cryptogram against quantum computing attack
Yamada et al. Two-dimensional representation of cover free families and its applications: Short signatures and more
CN110708157B (en) Certificate-free multi-receiver anonymous signcryption method
Yang et al. Threshold proxy re-signature schemes in the standard model
Long et al. New constructions of dynamic threshold cryptosystem
Sujatha et al. Optimal adaptive genetic algorithm based hybrid signcryption algorithm for information security
Backes et al. Fully secure inner-product proxy re-encryption with constant size ciphertext
Selvi et al. On the security of id based signcryption schemes
Xiong et al. Security Flaw of an ECC-based Signcryption Scheme with Anonymity.
Li et al. Identity-based hybrid signcryption
Kushwah et al. Efficient generalized signcryption schemes
Pandey et al. Construction of identity based signcryption schemes
CN115665732B (en) Certificate-free signature authentication method for satellite Internet